David Ely

Don't Provide Your Email Password to Another Service

There’s a feature on some websites you might have seen recently. They offer to import your address book from a webmail service like Gmail and check to see which of your friends are already using their service. (Some will even spam your friends who aren’t without asking you, but that’s the subject for a whole different article on best practices.) This feature–asking for your Gmail, Hotmail, etc. password to check your address book–has become common practice on a lot of social network sites, and this is a very bad thing.

Don’t give out your email password to any third-party service, just like you wouldn’t ever give out your ATM PIN. It’s a bad idea, and it’s inappropriate of them to be asking for it. They’re asking you to trust their privacy policy, and they’re probably a new small company with no reputation you can look into. But even Facebook does this. With the login and password to your email account, any unscrupulous person with access to that data can very easily steal your identify by using the “I forgot my password” link on any other website where you have an account, quite possibly including your bank.

A new technology called OAuth has just made some news which will allow websites to share information like online address book contents without the need to swap passwords back and forth. This is exactly what’s needed, but it will take time for many services to evaluate and implement. Six Apart’s David Recordon wrote a good piece explaining OAuth. In the meantime, make it a practice never to type in your Gmail password anywhere but a Google site.